Hi,

Our network at present is as follows:
We have both a NT and 03 Domain. There is a two way trust between the NT4
and Windows 2003 server. The client machines are either Win2k or XP Pro with
the latest service packs.

The users log on to the 03 domain and are authenticated etc. via this domain.
The problem I have is that unless the users are a member of the Domain Admins
group, certain programs on their PC will not work. Of course I don't want
everyone playing about with the domain and having such high security access.

To set up a basic user on Windows XP or Win2k, do they need to be a
member of the local machine in terms of security? Can I give everyone
different access via the Group Policy editor?

Thanks for your help

Mo

Re: Users with ADMIN profile by Adam

Adam
Mon Dec 19 10:17:17 CST 2005

mahmad <mahmad@discussions.microsoft.com> wrote in
news:73D66B64-4954-447A-B97B-EBE4CC3F8C35@microsoft.com:

> Hi,
>
> Our network at present is as follows:
> We have both a NT and 03 Domain. There is a two way trust between
> the NT4 and Windows 2003 server. The client machines are either
> Win2k or XP Pro with the latest service packs.
>
> The users log on to the 03 domain and are authenticated etc. via
> this domain. The problem I have is that unless the users are a
> member of the Domain Admins group, certain programs on their PC
> will not work. Of course I don't want everyone playing about with
> the domain and having such high security access.
>
> To set up a basic user on Windows XP or Win2k, do they need to
> be a member of the local machine in terms of security? Can I give
> everyone different access via the Group Policy editor?

Use Filemon and Regmon to find the permission issues and then open
those files/registry entries up in GP:

http://aleinsstechtips.blogspot.com/2005_09_01_aleinsstechtips_archive.html

Also, you can make them a local administrator on their box, but that
is not recommended.

Adam

Re: Users with ADMIN profile by mahmad

mahmad
Mon Dec 19 11:32:02 CST 2005

Hi Adam,

Thanks for your reply. How do I go about doing what you suggest? Does it have
to be on local machines, or on the server etc.?

Thanks

M

"Adam Leinss" wrote:

> mahmad <mahmad@discussions.microsoft.com> wrote in
> news:73D66B64-4954-447A-B97B-EBE4CC3F8C35@microsoft.com:
>
> > Hi,
> >
> > Our network at present is as follows:
> > We have both a NT and 03 Domain. There is a two way trust between
> > the NT4 and Windows 2003 server. The client machines are either
> > Win2k or XP Pro with the latest service packs.
> >
> > The users log on to the 03 domain and are authenticated etc. via
> > this domain. The problem I have is that unless the users are a
> > member of the Domain Admins group, certain programs on their PC
> > will not work. Of course I don't want everyone playing about with
> > the domain and having such high security access.
> >
> > To set up a basic user on Windows XP or Win2k, do they need to
> > be a member of the local machine in terms of security? Can I give
> > everyone different access via the Group Policy editor?
>
> Use Filemon and Regmon to find the permission issues and then open
> those files/registry entries up in GP:
>
> http://aleinsstechtips.blogspot.com/2005_09_01_aleinsstechtips_archive.html
>
> Also, you can make them a local administrator on their box, but that
> is not recommended.
>
> Adam
>

Re: Users with ADMIN profile by Adam

Adam
Mon Dec 19 11:54:13 CST 2005

mahmad <mahmad@discussions.microsoft.com> wrote in
news:42B5B845-6896-4496-9E79-973793A8B20A@microsoft.com:

> Hi Adam,
>
> Thanks for your reply. How do I go about doing what you suggest?
> Does it have to be on local machines, or on the server etc.?

You would do this from their workstation, running the applications
having permission issues. Using Regmon and Filemon, you discover what
permissions need to be opened up. You would then go back to the server
and input these changes into Group Policy so they propagate throughout
the whole enterprise. If you have a lot of applications, this could
take quite a while, but no one ever said security was easy. :)

Adam
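
Added example, not part of the original thread: one way to turn a saved Filemon or Regmon log into the short list of folders and registry keys to review before putting permissions into Group Policy. The tab-separated column layout, the result strings, and the `acctapp.exe` / `AcctApp` names are assumptions made for illustration; the sample log is constructed.

```python
import ntpath
from collections import defaultdict

# Result strings assumed for Filemon and Regmon exports; adjust to your logs.
DENIED = {"ACCESS DENIED", "ACCDENIED"}
# The "usual places" named in the thread; anything else is flagged for review.
USUAL = ("c:\\program files\\", "hklm\\software\\",
         "c:\\documents and settings\\all users\\application data\\")
# Constructed sample (hypothetical app). Assumed tab-separated columns:
# sequence, time, process, request, path, result, other
SAMPLE_LOG = "\n".join([
    "1\t10:01:02\tacctapp.exe:1234\tOPEN\tC:\\Program Files\\AcctApp\\data\\ledger.mdb\tACCESS DENIED\tAccess: All",
    "2\t10:01:02\tacctapp.exe:1234\tWRITE\tC:\\Program Files\\AcctApp\\data\\ledger.ldb\tACCESS DENIED\t",
    "3\t10:01:03\tacctapp.exe:1234\tOPEN\tC:\\Program Files\\AcctApp\\acctapp.ini\tSUCCESS\t",
    "4\t10:01:03\texplorer.exe:800\tOPEN\tC:\\WINDOWS\\win.ini\tACCESS DENIED\t",
    "5\t10:01:04\tacctapp.exe:1234\tSetValue\tHKLM\\Software\\AcctApp\\Settings\\LastUser\tACCDENIED\t",
    "6\t10:01:05\tacctapp.exe:1234\tCREATE\tC:\\WINDOWS\\system32\\acct.tmp\tACCESS DENIED\t",
])


def grant_point(path):
    """Collapse a logged path to the folder or application key where an ACL would be set."""
    if path.upper().startswith(("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")):
        return "\\".join(path.split("\\")[:3])   # e.g. HKLM\Software\AcctApp
    return ntpath.dirname(path)                  # files: the containing folder


def denied_targets(log_text, process_name):
    """Map each grant point to (sorted denied requests, 'usual' or 'review')."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6:
            continue                             # header or truncated line
        process, request, path, result = cols[2], cols[3], cols[4], cols[5]
        if process.split(":")[0].lower() != process_name.lower():
            continue                             # another process's noise
        if result.strip().upper() in DENIED:
            hits[grant_point(path.strip())].add(request.strip())
    report = {}
    for target, requests in sorted(hits.items()):
        usual = (target.lower() + "\\").startswith(USUAL)
        report[target] = (sorted(requests), "usual" if usual else "review")
    return report


if __name__ == "__main__":
    for target, (requests, status) in denied_targets(SAMPLE_LOG, "acctapp.exe").items():
        print(f"{status:6} {target}  denied: {', '.join(requests)}")
```

Targets marked `review` fall outside the locations listed in the thread and are better checked by hand than opened up through policy.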



Re: Users with ADMIN profile by Steven

Steven
Mon Dec 19 19:38:45 CST 2005

They absolutely do not need to be members of the domain admins group and at
the worst they would need to be a local administrator on their domain
computer. You also could try making them a power user [or apply the
compatws.inf security template] on their local computer. Beyond that you
would have to look at tweaking permissions for the folders that the
application uses and possibly the HKLM software key for the application. The
usual places where you may need to give the user
read/list/execute/write/modify permissions are the application folder in the
program files folder, any subfolder for the application in the program
files\common files folder, and possibly any subfolder for the application in
the documents and settings\all users\application data folder. --- Steve


"mahmad" <mahmad@discussions.microsoft.com> wrote in message
news:73D66B64-4954-447A-B97B-EBE4CC3F8C35@microsoft.com...
> Hi,
>
> Our network at present is as follows:
> We have both a NT and 03 Domain. There is a two way trust between the NT4
> and Windows 2003 server. The client machines are either Win2k or XP Pro
> with the latest service packs.
>
> The users log on to the 03 domain and are authenticated etc. via this
> domain. The problem I have is that unless the users are a member of the
> Domain Admins group, certain programs on their PC will not work. Of course
> I don't want everyone playing about with the domain and having such high
> security access.
>
> To set up a basic user on Windows XP or Win2k, do they need to be a
> member of the local machine in terms of security? Can I give everyone
> different access via the Group Policy editor?
>
> Thanks for your help
>
> Mo



Re: Users with ADMIN profile by mahmad

mahmad
Tue Dec 20 10:16:06 CST 2005

Hi guys,

Thanks for getting back to me, but I have never run the two programs you
suggest. How do I go about running them to find out what shares are
necessary? Please provide step by step instructions, or a link.

Thanks for your help

M

"Adam Leinss" wrote:

> mahmad <mahmad@discussions.microsoft.com> wrote in
> news:42B5B845-6896-4496-9E79-973793A8B20A@microsoft.com:
>
> > Hi Adam,
> >
> > Thanks for your reply. How do I go about doing what you suggest?
> > Does it have to be on local machines, or on the server etc.?
>
> You would do this from their workstation, running the applications
> having permission issues. Using Regmon and Filemon, you discover what
> permissions need to be opened up. You would then go back to the server
> and input these changes into Group Policy so they propagate throughout
> the whole enterprise. If you have a lot of applications, this could
> take quite a while, but no one ever said security was easy. :)
>
> Adam
>
>
>